Meanwhile, Grego AI, which independently verified Hexens’ proof of concept, estimated that approximately $250 million in Aptos’ native TVL was directly at risk based on the near 90% success rate, aside from broader cross-chain exposure.
The risk of 70 billion dollars
The vulnerability, discovered by Vahe Karapetyan, CTO and co-founder of Hexens, could, if left unchecked, have exposed a much larger systemic risk surface across bridges, stablecoins, DeFi protocols and centralized exchanges, costing billions and creating a crisis far beyond Aptos itself.
And all it would have taken was a few thousand dollars in servers.
The total cost to put in place the infrastructure needed to run this experiment was approximately $3,000 for a server that simulated an environment designed to approximate Aptos main network conditions. Although if a malicious attacker had actually used the exploit, it would have required considerably less, without requiring validator access, insider knowledge, or privileged protocol permissions.
The team ran the exploit path approximately 20 times in a simulated environment and succeeded 17 or 18 times. The two or three failed attempts did not stop the network, meaning the attacker could have simply had another window to try again.
The simulation was built to closely approximate real network conditions, using a cluster of over 30 validator nodes, a mainnet-like staking distribution, organic transaction traffic, and strong execution contention. The Hexens team also tested what they call “unarmed calibration techniques”: trials that measured block and mempool build conditions before committing to an armed attempt. The firm said those steps materially reduced the uncertainty introduced by the exploit’s probabilistic elements, making the attack path more reliable in practice.




